Dns tunnel detection/prevention

Michael De Roover isc at nixmagic.com
Thu May 22 19:09:58 UTC 2025


On Thursday, May 22, 2025 4:23:05 PM CEST Karol Nowicki via bind-users wrote:
> Does ISC BIND natively have any DNS tunneling prevention embedded?
> Thanks

BIND on its own does not do this. Assuming that you are running it as a 
resolver on a LAN, you can make it the only thing that can communicate on 
port 53 to the Internet. That is the job of your firewall, and yours to 
configure. You'll probably also want to prevent DoT (port 853) from going out 
at all, though its sibling DoH will be a lot harder to filter for.

As you've probably already realized by now, security is by no means a "slap 
software X or Y on it and call it a day" type of ordeal. One could argue that 
if you have a piece of malware attempting to make a DNS tunnel to get commands 
from a C2 or whatever, you (or whoever else owns that machine) shouldn't be 
running that software in the first place. Which in itself is a multifaceted 
policy question.

(Apologies if this is to be sent twice, I was working on my mail servers as I 
wrote this message.)

-- 
Met vriendelijke groet,
Michael De Roover

Mail: isc at nixmagic.com
Web: michael.de.roover.eu.org
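The egress restriction described in the reply above, as an added example that is not part of the original post or of BIND itself: an nftables ruleset for the LAN gateway that lets only the resolver reach port 53 on the Internet and blocks DoT (TCP 853) for every LAN host. The interface names (lan0, wan0), the LAN prefix (192.0.2.0/24) and the resolver address (192.0.2.53) are assumptions for illustration; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): nftables ruleset for a LAN
# gateway that also forwards traffic for a LAN-side BIND resolver.
# Assumed values (hypothetical): LAN on lan0 (192.0.2.0/24), uplink on wan0,
# BIND resolver at 192.0.2.53.

define lan_if   = "lan0"
define wan_if   = "wan0"
define lan_net  = 192.0.2.0/24
define resolver = 192.0.2.53

table inet dns_egress {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Only the resolver may talk to port 53 (UDP and TCP) on the Internet.
        iifname $lan_if oifname $wan_if ip saddr $resolver \
            meta l4proto { udp, tcp } th dport 53 counter accept

        # Any other LAN host trying plain DNS (Do53) straight to the Internet,
        # including a malware tunnel that bypasses the local resolver, is
        # logged and dropped.
        iifname $lan_if oifname $wan_if ip saddr $lan_net \
            meta l4proto { udp, tcp } th dport 53 \
            log prefix "dns-egress-blocked: " counter drop

        # DoT is blocked for everyone, resolver included. If the resolver
        # itself forwards over DoT, add an accept for $resolver above this rule.
        iifname $lan_if oifname $wan_if ip saddr $lan_net tcp dport 853 \
            log prefix "dot-egress-blocked: " counter drop
    }
}
```

Load it with `nft -f` after checking syntax with `nft -c -f`. The log prefixes give you a cheap signal: a LAN host repeatedly hitting the drop rules is either misconfigured or trying to tunnel around your resolver. If the resolver is itself the gateway, the same restriction can be expressed in an output chain by matching the socket owner (`meta skuid`) so that only the named process may send to port 53. As the reply notes, DoH rides on TCP 443 and is not caught by any of these rules.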